Penetration testing is the process of assessing computer systems, networks and applications to identify and address security vulnerabilities that could be exploited by cybercriminals.
Redscan is an award-winning provider of cyber security penetration testing services. Our range of CREST approved ethical hacking engagements enable organisations of all sizes to effectively manage cyber security risk by identifying, ethically exploiting, and helping to remediate vulnerabilities that could lead to network, systems, applications and personnel being compromised by malicious attackers.
Regular pen testing helps improve your cyber security by:
- Fixing vulnerabilities before they are exploited by cybercriminals
- Providing independent assurance of security controls
- Improving awareness and understanding of cyber security risks
- Supporting PCI DSS, ISO 27001 and GDPR compliance
- Demonstrating a continuous commitment to security
- Supplying the insight needed to prioritise future investments
Web applications such as websites and programs delivered over the internet play a vital role in day-to-day business operations. Many web apps process sensitive data such as user and financial information, which means they are frequently targeted by cybercriminals. As web apps become increasingly complex, the range of exploitable vulnerabilities is rising.
web application penetration test follows a tried and tested methodology to identify, exploit and help address vulnerabilities across web and thick clients:
Redscan’s web app pen testing experts work with your team to define websites and programs in scope and devise an appropriate strategy and timeline for the engagement.
Reconnaissance and intelligence gathering our ethical hackers utilise their knowledge of offensive security and threat intelligence from in-house research and leading security exchanges like CiSP to gather information that could be used to compromise targeted web applications.
Using a combination of manual and automated tools, our web app testers conduct a full assessment of in-scope applications to identify security vulnerabilities such as SQL injection and cross-site scripting problems plus flaws in application logic and session management flows.
Our web app testers analyse and attempt to harmlessly exploit all design, implementation and operational vulnerabilities identified.
Once an assessment is complete, we deliver a formal report and debrief outlining key findings, supplementary technical information, and a prioritised list of remedial actions to help address any identified risks and exposures.
Of all the available types of cyber security assessment, a simulated targeted cyber-attack is as close as you can get to understanding how prepared your organisation is to defend against a skilled and persistent hacker.
A Red Team Operation from Keystone is designed to far exceed the remit of traditional security test by rigorously challenging the effectiveness of technology, personnel and processes to detect and respond to a highly focussed, multi-faceted attack conducted over a period of weeks and months.
- Validate your response to attack
- Identify and classify security risks
- Uncover little-known weaknesses
- Address vulnerabilities
- Enhance Blue Team operations
- Verify the effectiveness of cyber security investments
Typically, SCADA systems are installed for long term use, and are then less frequently updated afterward due to the complexity involved in maintaining the SCADA hardware, software and communication links. As a result, security is often weaker than would otherwise be expected in such a critical system, which at any point could be compromised if due diligence is not performed. For SCADA systems, it is important to note that what security controls do exist are often not integrated into the solution, but instead are added as an after-thought
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience